What happens to stolen PII?

Every week carries another story about data theft and loss from retailers, companies and even government agencies. Stolen data is traded and sold on underground marketplaces with better customer service than the best companies deliver to customers paying for legal goods. For example, a cybercriminal who buys a collection of credit cards only to discover than some have been cancelled is immediately offered money back or alternative credit card details.

But what happens before stolen data reaches the point of being openly sold? This is the question that Bitglass set to solve. In a blog posting from Christopher Hines, Product Marketing Manager, Bitglass and a report which can be downloaded here (registration required), Bitglass has revealed what happened to a file of supposedly stolen data it posted on the Internet.

The Excel file contained the name, address, phone number, credit card details and social security numbers for 1568 fictitious users. In order to track it, the file was sent through the Bitglass proxy in order to gain a watermark which sends a message back to the server every time the file is opened. The data gathered includes IP address, geographic region and device type allowing it to be tracked as it is sent between individuals and even different devices an individual might own.

So what data did Bitglass get? Over 12 days the call home information showed:

According to Rich Campagna, VP of Products and Marketing, Bitglass, "the data revealed in Nigeria and Russia a cluster of closely related IP addresses and times of access. We believe that this was groups of people discussing the data to decide what to do with the it." Campagna also said that Bitglass believes that these two groups indicate the location of two cyber crime syndicates in these countries. However, he didn't say if the IP addresses used by these groups had been reported to the relevant police authorities in those countries.

There were a number of other interesting facts gathered from this experiment. For example, the use of tracking watermarks is not new. Adobe introduced them over a decade ago and other document vendors have had them for longer. However, the fact that it was possible to gather so much data in just 12 days implies that cyber criminals are failing to carry out basic communications hygiene such as the use of proxies and VPN services when accessing stolen data.

In addition, a number of the addresses used to access the data came from within universities. Campagna believes that this is because cyber criminals see publically accessible networks as an easy access to the Internet that helps disguise who they are. The surprise is that it was universities rather than coffee shop chains that saw a high amount of traffic.

There are two obvious benefits here for most businesses. The first is a wake up call to show how quickly the data from any breach can be spread around the world and get into the hands of multiple cyber criminals. The second is that the use of watermarking technology can provide a way of tracking how data is being spread around the company and the devices that are being used to access the data.

The latter should interest security teams and those who are struggling to control the spread of personal devices throughout the enterprise. Tracking data will also help to reveal how widespread the use of unauthorised cloud-based file storage and collaboration is within an enterprise. With companies such as Skyhigh Networks already reporting that users in the average European enterprise already accessing over 800 cloud services using services such as Bitglass would at least provide greater insight in the types of services and data be stored in them.

Another area of interest is likely to be discovering how many different devices are being used by individuals especially as they share email accounts across devices. It is not uncommon for users to sync desktop/laptop, mobile phone and tablet with the same email account but with some business users still using Blackberry's as well, this means there are four devices susceptible to attack by hackers. This data would at least enable an IT organisation to reinstate some controls over access to corporate email.

This is an interesting experiment by Bitglass and one that will surprise more than a few people. The speed with which data moved and the fact that it was being discussed by groups clearly demonstrates that hacking is a business not a solo activity.

Image Credit: Perspecsys Photos